[OpenID] general Digest, Vol 37, Issue 19
John Bradley
john.bradley at wingaa.com
Thu Sep 10 01:49:35 UTC 2009
LoA 1 is purely pseudonymous. The IdP need not have any idea who the
user is.
The only requirement is that they secure the account so that it is the
same user each time.
With delegation the OP has no visibility into the policy of whoever
controls the upstream URI.
Yahoo, as an example, can't assert to the RP that it is the same person
controlling the identifier as last time.
That is one of the problems of delegation.
The PII one is the other.
Each federal site must undergo a privacy impact assessment if it
collects anything other than customization information about the user
(language etc.).
They also have requirements not to correlate information across
agencies.
A site needs to have special dispensation through a privacy impact
assessment review to collect other sorts of information.
We wanted to be able to make OpenID available across the broadest
number of sites.
The privacy guidelines also require an OP to allow a user to decline
sending attributes.
Remember from the governments point of view this is about using
identities that people already have.
People are not required to get OpenIDs or disclose anything to OPs.
Passing attributes is a convenience for the user to aid a registration
process.
Users will still be able to create accounts directly with usernames
and passwords.
We worked hard to launch with a good representation of the existing
OPs so that people would not be forced to get new accounts.
We did not get all of the large OPs yet. They can speak to their
reasons for not participating at this time.
John B.
> Date: Wed, 9 Sep 2009 15:37:30 -0700
> From: SitG Admin <sysadmin at shadowsinthegarden.com>
> Subject: Re: [OpenID] DotNetOpenAuth announces support of the
> Government profile of OpenID
> To: Andrew Arnott <andrewarnott at gmail.com>
> Cc: openid-general at lists.openid.net
> Message-ID: <f06110402c6cddc7c7700@[192.168.0.2]>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>
>> The profile is quite paranoid about not exposing any PII, and if the
>> user were allowed to enter anything, that might give away something
>> about the personal identity of the user. So instead, RPs must use
>> the nascar OP button display, which means all authentications begin
>> with an OP identifier (thus no delegation).
>
> It instantly struck me as an odd concern, this "paranoia" when
> forcing users to communicate through an OP that probably required a
> LOT of PII from the user (and may provide it to "the government" upon
> request). If your PII is in the chain, someone can trace back to you.
> (Vanity domains, to be fair, can be the same - and if you put bad
> information in the Owner field, you may have trouble proving your
> right to that domain, later on.)
>
> Does the profile permit multi-user OP's to make assertions about
> users for whom they have NOT collected any PII?
>
> -Shade
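The delegation problem John Bradley describes above (the OP only ever sees the local identifier, while the RP keys the account on the vanity URL whose page can be re-pointed by whoever controls it) can be made concrete with OpenID 2.0 HTML-based discovery. The following is an added example, not code from this thread, from any participant, or from DotNetOpenAuth; the hostnames, the page content and the account names are constructed for illustration.

```python
"""OpenID 2.0 HTML-based discovery with delegation (illustrative, constructed data).

An RP that receives a user-supplied identifier fetches that URL and looks for
    <link rel="openid2.provider" href="...">   the OP endpoint
    <link rel="openid2.local_id" href="...">   the identifier the OP actually knows
When local_id differs from the claimed identifier, the identifier is delegated:
the RP remembers the claimed URL, the OP asserts only the local_id, and the
mapping between the two lives in a page the OP does not control.
"""
import re
from dataclasses import dataclass

_LINK_RE = re.compile(r"<link\b([^>]*)>", re.IGNORECASE)
_ATTR_RE = re.compile(r'([A-Za-z_][\w.:-]*)\s*=\s*"([^"]*)"')


@dataclass(frozen=True)
class Discovery:
    claimed_id: str   # what the RP stores and shows as "the user"
    op_endpoint: str  # where the RP sends the checkid request
    local_id: str     # what the OP authenticates and asserts
    delegated: bool   # True when claimed_id and local_id differ


def parse_html_discovery(claimed_id: str, html: str) -> Discovery:
    """Extract OpenID 2.0 provider / local_id links from a claimed-identifier page."""
    provider = None
    local_id = None
    for tag in _LINK_RE.finditer(html):
        attrs = dict(_ATTR_RE.findall(tag.group(1)))
        rels = attrs.get("rel", "").lower().split()
        href = attrs.get("href")
        if "openid2.provider" in rels:
            provider = href
        if "openid2.local_id" in rels:
            local_id = href
    if provider is None:
        raise ValueError("page carries no openid2.provider link")
    if local_id is None:
        # No delegation: the OP knows the user by the claimed identifier itself.
        local_id = claimed_id
    return Discovery(claimed_id, provider, local_id, local_id != claimed_id)


def binding_controller(d: Discovery) -> str:
    """Who decides which OP account the RP's stored identifier maps to."""
    return "claimed-id page owner" if d.delegated else "op"


# Constructed vanity page for a hypothetical user, delegating to a hypothetical OP.
PAGE_V1 = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/auth">
<link href="https://op.example.org/user/alice" rel="openid2.local_id">
</head><body>alice's page</body></html>"""

# Same vanity URL, same OP, but the page owner has re-pointed local_id.
# The RP still sees claimed_id unchanged; the OP has no way to know the
# identifier used to map to a different account.
PAGE_V2 = PAGE_V1.replace("/user/alice", "/user/mallory")

# Page without delegation: the OP itself hosts the identifier.
PAGE_DIRECT = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/auth">
</head></html>"""

CLAIMED = "http://alice.example.net/"


def demo():
    v1 = parse_html_discovery(CLAIMED, PAGE_V1)
    v2 = parse_html_discovery(CLAIMED, PAGE_V2)
    direct = parse_html_discovery("https://op.example.org/user/alice", PAGE_DIRECT)
    return v1, v2, direct


if __name__ == "__main__":
    v1, v2, direct = demo()
    print("RP account key unchanged:", v1.claimed_id == v2.claimed_id)
    print("OP-asserted identity changed:", v1.local_id != v2.local_id)
    print("binding controlled by:", binding_controller(v1), "/", binding_controller(direct))
```

Starting every authentication from an OP identifier, as the profile's OP-button display does, sidesteps this entirely: there is no user-supplied claimed identifier to delegate, so the identifier the RP ends up storing is one the OP itself asserted.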